According to information security specialists, about one hundred web application developers may have had improper access to the data of millions of Facebook users, after the company made a mistake that lifted some of the restrictions on access to this information.
Because the data breach was publicly disclosed only through Facebook's developer blog, the incident went almost completely unnoticed, except by some members of the cybersecurity community.
Although Facebook updated its group access parameters over a year ago, during this incident users' names and profile photos, along with their activity logs in certain groups, remained accessible to specific developers, the company's publication noted.
In addition, information security specialists point out that, of the nearly 100 developers with this access through the Facebook Groups API, at least a dozen had been actively consulting this information over the past two months.
It should be noted that, before April 2018, Facebook group administrators could grant app developers access to the group's information. After the update to the group APIs, when an administrator authorizes an app, developers can only access data such as the group name, number of participants, and post content.
These API updates are part of the measures implemented by Facebook after the Cambridge Analytica scandal was revealed, with which the company sought to improve its data usage policies for users and the companies that can access them.
Facebook claims that it has asked the developers involved to delete any records of information obtained through this improper access, adding that it will conduct security audits to verify that this process is properly carried out. However, many information security experts believe that the company is not acting with full transparency, as the names of the developers, apps, or Facebook groups involved were not disclosed, with the company citing security reasons.
Finally, the social media giant assured its users (although the message was addressed to developers) that so far there is no evidence of abuse of this anomalous access; although when it comes to Facebook, data privacy always seems to be breached in one way or another.
This has been a turbulent year for Facebook in terms of data breach incidents, and authorities in various parts of the world have made relevant decisions. A few months ago, information security specialists from the International Institute of Cyber Security (IICS) reported a landmark decision by the Federal Trade Commission (FTC), which decided to impose a record $5 billion USD fine on Facebook for its multiple practices that violate various user data protection laws; still, many consider that this fine remains insufficient to put real pressure on these companies.